Privacy Policy
Basic information on data protection
The purpose of this document is to provide interested parties with basic information on the processing of personal data by the Fundación de la Comunitat Valenciana Centro de Estudios Ambientales del Mediterráneo – CEAM (hereinafter, the Foundation), for the exercise of its powers; all in compliance with articles 13 and 14 of the General Data Protection Regulation.
The personal data collected by the Foundation will be processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter GDPR), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights.
Scope of application
This information applies to the fully or partially automated processing, as well as to the non-automated processing of personal data contained in a file or intended to be included.
Data Controller
In accordance with Article 4.7 of the GDPR, the Data Controller shall be “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing”; in this case, the Foundation should be considered as the controller.
In accordance with Decree 130/2012 of August 24, issued by the Consell, which establishes the organization of information security for the Generalitat, this responsibility will generally be exercised by the governing body with jurisdiction over the Foundation’s common services, without prejudice to the fact that in specific cases it may be exercised by the competent body or administrative unit. This circumstance will be recorded in the Foundation’s Register of Processing Activities (hereinafter RAT).
Record of Data Processing Activities (RAT)
In accordance with Article 30 of the GDPR, the updated list of processing activities carried out by the Foundation is available in the Register of Data Processing Activities published by the Foundation on its website:
Collection of personal data
Personal data collected directly or indirectly from interested parties will be treated confidentially and will be incorporated into one of the processing activities owned by the Foundation and listed in its RAT.
When personal data is obtained from the data subject, information about the processing will be provided clearly and intelligibly at the time of collection. If appropriate, the essential information about the processing will be provided on the data collection form, and a second layer of more detailed information will be indicated or linked from the form.
Uses and purposes
The processing of personal data will be in accordance with the functions of the Foundation and its use will be limited to those purposes for which it has been expressly collected.
If personal data is to be processed subsequently for a purpose other than that for which it was collected, the data subject shall be informed of this other purpose and provided with any other relevant additional information, unless the data subject already has this information.
The purpose of processing personal data will be that necessary for the administrative management and processing of the administrative procedures for which your data is requested, which will correspond to each of the processing activities carried out by the Foundation and which are accessible in the RAT.
No automated decisions will be made based on the processing of your personal data.
Legitimation for processing
In general, the legal basis that supports the processing of personal data by the Foundation is the fulfillment of legal obligations or the performance of actions in the public interest or in the exercise of public powers conferred on the Generalitat, in accordance with the rules that regulate the actions of public administrations and, in particular, Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations and Law 40/2015, of October 1, on the Legal Regime of the Public Sector, the Statute of Autonomy and the Government Law.
However, some treatments may require the consent of the individuals affected. In such cases, the Foundation will implement mechanisms to obtain this consent through a clear affirmative action by the individual, ensuring that evidence of this consent is preserved.
In cases where data processing is based on consent, the data subject may withdraw their consent at any time by contacting the Foundation’s offices at Parque Tecnológico, C/ Charles R. Darwin, 14 – 46980 – PATERNA – VALENCIA – SPAIN, or by sending an email to info@ceam.es. In such cases, the Foundation will cease processing the data. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
The legal basis that expressly authorizes each of the processing activities carried out by the Foundation can be found in the RAT (Regulations for the Processing of Personal Data). It is not considered appropriate to list all the regulations that establish the general framework for the controller’s actions, such as the Statute of Autonomy and other regulations that determine the powers and obligations of the Generalitat administration and its instrumental public sector. In this way, interested parties can easily access the regulation that legitimizes each processing activity.
According to the provision established in Article 14, paragraph 5.c) of the GDPR, data from processing activities that are the responsibility of the Consell administration or its instrumental public sector may be processed by bodies that have a supervisory, inspection or control function related to the exercise of public authority, provided that this access to the data is expressly contemplated in the regulations that govern them (General Intervention, General Inspection of Services, Data Protection Delegation).
Data retention
Generally, and without prejudice to the specific information published in the RAT (Register of Personal Data), the personal data processed by the Foundation will be kept for the time necessary to fulfill the purpose for which it is collected.
Once the data has been canceled or removed from processing, the Foundation may retain it to determine any potential liabilities that may arise from its processing or to allow its subsequent use, after the adoption of appropriate security measures, for historical, statistical, or scientific purposes.
Data communication
The data controller will not disclose or publish personal data without the consent of the data subjects, except in those circumstances provided for by applicable law. The recipients of data transfers for each processing activity can be found in the RAT .
Without prejudice to the exceptions specified in the RAT (Regulations for the Processing of Personal Data) because they are identified in the regulations that legitimize the processing, it may be necessary to communicate data or allow access, in certain circumstances and even if not expressly stated in the RAT, to the Ombudsman, the Catalan Ombudsman (Síndic de Greuges), the Courts, the Court of Auditors, the Catalan Audit Office (Sindicatura de Comptes), and the State Security Forces. In short, these are recipients to whom data must be communicated as required for investigative, infringement, or supervisory or control procedures. The Data Protection Officer of the Generalitat (Government of Catalonia) is in the same situation.
The Foundation will not use the data under any circumstances for commercial, advertising or any other purposes unrelated to its public powers.
Rights of interested parties
The interested party may exercise at any time the rights that the GDPR guarantees to data subjects, in accordance with articles 15 to 22, which are as follows:
RIGHT OF ACCESS: The interested party has the right to obtain from the Foundation confirmation as to whether personal data concerning him or her are being processed, and if so, has the right to access such data and information relating to the purposes, recipients, categories of data processed, their origin and retention period, complaints, existence of automated decisions with their consequences and all additional rights of rectification, erasure, limitation, objection and portability.
RIGHT OF RECTIFICATION AND DELETION: The interested party has the right to obtain from the Foundation the rectification of inaccurate or incomplete personal data concerning him or her, without undue delay.
You also have the right to request the erasure of your personal data. If there is no other legal basis for its retention, the Foundation will erase the data when it is no longer necessary or has been processed unlawfully, when you withdraw your consent for processing that requires it, or when you object to the processing.
RIGHT TO RESTRICTION: The interested party has the right to obtain from the Foundation the restriction of the processing of the data, in cases of challenge to the accuracy of the data, when the processing is unlawful and the person opposes the erasure of the personal data and requests instead the restriction of its use, when the affected person needs to keep the data to formulate or exercise claims or while it is verified whether the legitimate grounds of the administration prevail over those of the interested party in the event that the latter opposes the processing.
RIGHT TO OBJECT: The data subject has the right to object to the processing of personal data concerning him or her. The Foundation will cease processing this personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
RIGHT TO DATA PORTABILITY: Data subjects have the right to receive their personal data in a structured, commonly used, machine-readable, and interoperable format and to transmit those data to another controller, where the processing is based on consent or is necessary for the performance of a contract and is carried out by automated means. Data subjects also have the right, where technically feasible, to have their data transmitted directly from one controller to another. This right does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
RIGHT NOT TO BE SUBJECT TO AUTOMATED INDIVIDUAL DECISIONS: Every data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This refers to any form of processing of personal data that evaluates personal aspects. The controller must guarantee the right to obtain human intervention, express one’s point of view, and contest the decision. The right not to be subject to a decision does not apply if the decision is necessary for entering into, or performing, a contract, is based on explicit consent, or is authorized by a regulation applicable to the controller that lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject.
All the aforementioned rights, including the withdrawal of consent, are strictly personal and can therefore only be exercised by the data subject. However, the data subject may act through a representative in the cases and under the conditions provided for by applicable law.
These rights may be exercised by contacting the Foundation’s offices at
Technology Park – C/ Charles R. Darwin, 14 – 46980 – PATERNA – VALENCIA – SPAIN, or by sending an email to info@ceam.es. Application forms from the Spanish Data Protection Agency (AEPD) are available at https://www.aepd.es/reglamento/derechos/index.html.
POSSIBILITY OF CONTACTING THE DATA PROTECTION OFFICE
Interested parties may contact the Data Protection Officer of the Valencian Government regarding all matters relating to the processing of their personal data and the exercise of their rights under the GDPR.
Their contact details are:
Data Protection Officer of the Generalitat
Paseo de la Alameda, 16. 46010 Valencia
Email: dpd@gva.es
COMPLAINT TO THE SPANISH DATA PROTECTION AGENCY
Interested parties also have the option of filing a complaint with the national supervisory authority for data protection (Spanish Data Protection Agency – AEPD), especially when they have not received a satisfactory response in the exercise of their rights.
Puede contactar con ella a través del siguiente enlace https://www.aepd.es, o a través de su dirección física: C/ Jorge Juan, 6, 28001-Madrid.